feat: sign protected pdfs

.classpath

@@ -22,6 +22,8 @@
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-17">
 		<attributes>
 			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="module" value="true"/>
+			<attribute name="add-exports" value="jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED"/>
 		</attributes>
 	</classpathentry>
 	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">

.github/workflows/test.yaml

@@ -22,17 +22,17 @@ jobs:
           - os: windows-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           java-version: '17.0.7+7'
           distribution: 'liberica'
           java-package: 'jdk+fx'
 
       - name: Cache local Maven repository and JDK cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/.m2/repository
@@ -42,9 +42,7 @@ jobs:
             ${{ runner.os }}-maven-
 
       - name: Run tests
-        run: ./mvnw test
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./mvnw test -P system-jdk
 
       - name: JaCoCo Code Coverage Report
         id: jacoco_report

.gitignore

@@ -32,3 +32,5 @@ secret
 /fakeTokenDriver
 
 /cache
+
+.classpath

pom.xml

@@ -29,6 +29,7 @@
         <snakeyml.version>2.2</snakeyml.version>
         <jimfs.version>1.3.0</jimfs.version>
         <testExcludedGroups>HttpSmokeTest</testExcludedGroups>
+        <skip-jdk-cache>false</skip-jdk-cache>
     </properties>
 
     <dependencyManagement>
@@ -313,6 +314,7 @@
                             <goal>cache-jdk</goal>
                         </goals>
                         <configuration>
+                            <skip>${skip-jdk-cache}</skip>
                             <jdkPathProperty>jlink.jdk.path</jdkPathProperty>
                             <jdkCachePath>${project.build.directory}${file.separator}jdkCache</jdkCachePath>
                             <authorization>${github.auth}</authorization>
@@ -504,6 +506,14 @@
             </properties>
         </profile>
 
+        <profile>
+            <id>system-jdk</id>
+            <properties>
+                <jlink.jdk.path>${env.JAVA_HOME}</jlink.jdk.path>
+                <skip-jdk-cache>true</skip-jdk-cache>
+            </properties>
+        </profile>
+
         <profile>
             <id>smoke</id>
             <build>

src/main/java/digital/slovensko/autogram/core/Autogram.java

@@ -4,10 +4,12 @@
 import digital.slovensko.autogram.core.visualization.DocumentVisualizationBuilder;
 import digital.slovensko.autogram.core.visualization.UnsupportedVisualization;
 import digital.slovensko.autogram.drivers.TokenDriver;
+import digital.slovensko.autogram.model.AutogramDocument;
 import digital.slovensko.autogram.ui.BatchUiResult;
 import digital.slovensko.autogram.ui.UI;
 import digital.slovensko.autogram.util.Logging;
 import digital.slovensko.autogram.util.PDFUtils;
+import eu.europa.esig.dss.enumerations.SignatureLevel;
 import eu.europa.esig.dss.model.DSSException;
 import eu.europa.esig.dss.pdfa.PDFAStructureValidator;
 import eu.europa.esig.dss.spi.x509.tsp.TSPSource;
@@ -56,22 +58,45 @@ public void checkPDFACompliance(SigningJob job) {
             return;
 
         ui.onWorkThreadDo(() -> {
-            var result = new PDFAStructureValidator().validate(job.getDocument());
+            // PDF/A doesn't support encryption
+            if (job.getDocument().hasOpenDocumentPassword()) {
+                ui.onUIThreadDo(() -> ui.onPDFAComplianceCheckFailed(job));
+                return;
+            }
+
+            var result = new PDFAStructureValidator().validate(job.getDocument().getDSSDocument());
             if (!result.isCompliant()) {
                 ui.onUIThreadDo(() -> ui.onPDFAComplianceCheckFailed(job));
             }
         });
     }
 
+    public void handleProtectedPdfDocument(AutogramDocument document) {
+        var protection = PDFUtils.determinePDFProtection(document.getDSSDocument());
+        if (protection == PDFUtils.PDFProtection.NONE)
+            return;
+
+        var password = ui.getDocumentPassword(document.getDSSDocument());
+        switch (protection) {
+            case OPEN_DOCUMENT_PASSWORD -> document.setOpenDocumentPassword(password);
+            case MASTER_PASSWORD -> document.setMasterPassword(password);
+        }
+    }
+
+    public SigningJob buildSigningJobFromFile(File file, Responder responder, boolean checkPDFACompliance, SignatureLevel signatureType, boolean isEn319132, TSPSource tspSource, boolean plainXmlEnabled) {
+        var document = SigningJob.createDSSFileDocumentFromFile(file);
+        handleProtectedPdfDocument(document);
+
+        var parameters = SigningJob.getParametersForFile(document, checkPDFACompliance, signatureType, isEn319132, tspSource, plainXmlEnabled);
+        return SigningJob.build(document, parameters, responder);
+    }
+
+    public void wrapInWorkThread(Runnable callback) {
+        ui.onWorkThreadDo(callback);
+    }
+
     public void startVisualization(SigningJob job) {
         ui.onWorkThreadDo(() -> {
-            if (PDFUtils.isPdfAndPasswordProtected(job.getDocument())) {
-                ui.onUIThreadDo(() -> {
-                    ui.showError(new AutogramException("Nastala chyba", "Dokument je chránený heslom", "Snažíte sa podpísať dokument chránený heslom, čo je funkcionalita, ktorá nie je podporovaná.\n\nOdstráňte ochranu heslom a potom budete môcť dokument podpísať."));
-                });
-                return;
-            }
-
             try {
                 var visualization = DocumentVisualizationBuilder.fromJob(job, settings);
                 ui.onUIThreadDo(() -> ui.showVisualization(visualization, this));
@@ -159,7 +184,7 @@ public void batchSign(SigningJob job, String batchId) {
         ui.onWorkThreadDo(() -> {
             try {
                 signCommonAndThen(job, batch.getSigningKey(), (jobNew) -> {
-                    Logging.log("GUI: Signing batch job: " + job.hashCode() + " file " + job.getDocument().getName());
+                    Logging.log("GUI: Signing batch job: " + job.hashCode() + " file " + job.getDocument().getDSSDocument().getName());
                 });
             } catch (AutogramException e) {
                 job.onDocumentSignFailed(e);

src/main/java/digital/slovensko/autogram/core/SignatureValidator.java

@@ -15,7 +15,7 @@
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 
-import eu.europa.esig.dss.enumerations.ASiCContainerType;
+import digital.slovensko.autogram.model.AutogramDocument;
 import eu.europa.esig.dss.simplereport.SimpleReport;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -24,7 +24,6 @@
 
 import digital.slovensko.autogram.util.XMLUtils;
 import eu.europa.esig.dss.enumerations.SignatureLevel;
-import eu.europa.esig.dss.model.DSSDocument;
 import eu.europa.esig.dss.model.DSSException;
 import eu.europa.esig.dss.service.crl.OnlineCRLSource;
 import eu.europa.esig.dss.service.http.commons.CommonsDataLoader;
@@ -167,7 +166,7 @@ public static ValidationReports getSignatureCheckReport(SigningJob job) {
         return new ValidationReports(validator.validateDocument(), job);
     }
 
-    public static SimpleReport getSignedDocumentSimpleReport(DSSDocument document) {
+    public static SimpleReport getSignedDocumentSimpleReport(AutogramDocument document) {
         var validator = createDocumentValidator(document);
         if (validator == null)
             return null;

src/main/java/digital/slovensko/autogram/core/SigningJob.java

@@ -6,11 +6,11 @@
 import digital.slovensko.autogram.core.eforms.xdc.XDCBuilder;
 import digital.slovensko.autogram.core.eforms.xdc.XDCValidator;
 import digital.slovensko.autogram.core.errors.AutogramException;
+import digital.slovensko.autogram.model.AutogramDocument;
 import digital.slovensko.autogram.util.Logging;
 import eu.europa.esig.dss.asic.cades.signature.ASiCWithCAdESService;
 import eu.europa.esig.dss.asic.xades.signature.ASiCWithXAdESService;
 import eu.europa.esig.dss.cades.signature.CAdESService;
-import eu.europa.esig.dss.enumerations.MimeTypeEnum;
 import eu.europa.esig.dss.enumerations.SignatureLevel;
 import eu.europa.esig.dss.model.DSSDocument;
 import eu.europa.esig.dss.model.FileDocument;
@@ -24,16 +24,16 @@
 
 public class SigningJob {
     private final Responder responder;
-    private final DSSDocument document;
+    private final AutogramDocument document;
     private final SigningParameters parameters;
 
-    private SigningJob(DSSDocument document, SigningParameters parameters, Responder responder) {
+    private SigningJob(AutogramDocument document, SigningParameters parameters, Responder responder) {
         this.document = document;
         this.parameters = parameters;
         this.responder = responder;
     }
 
-    public DSSDocument getDocument() {
+    public AutogramDocument getDocument() {
         return this.document;
     }
 
@@ -46,8 +46,7 @@ public int getVisualizationWidth() {
     }
 
     public void signWithKeyAndRespond(SigningKey key) throws InterruptedException, AutogramException {
-
-        Logging.log("Signing Job: " + this.hashCode() + " file " + getDocument().getName());
+        Logging.log("Signing Job: " + this.hashCode() + " file " + getDocument().getDSSDocument().getName());
         boolean isContainer = getParameters().getContainer() != null;
         var doc = switch (getParameters().getSignatureType()) {
             case XAdES -> isContainer ? signDocumentAsAsiCWithXAdeS(key) : signDocumentAsXAdeS(key);
@@ -73,10 +72,10 @@ private DSSDocument signDocumentAsCAdeS(SigningKey key) {
         signatureParameters.setCertificateChain(key.getCertificateChain());
         signatureParameters.setSignWithExpiredCertificate(true);
 
-        var dataToSign = service.getDataToSign(getDocument(), signatureParameters);
+        var dataToSign = service.getDataToSign(getDocument().getDSSDocument(), signatureParameters);
         var signatureValue = key.sign(dataToSign, jobParameters.getDigestAlgorithm());
 
-        return service.signDocument(getDocument(), signatureParameters, signatureValue);
+        return service.signDocument(getDocument().getDSSDocument(), signatureParameters, signatureValue);
     }
 
     private DSSDocument signDocumentAsAsiCWithXAdeS(SigningKey key) {
@@ -91,10 +90,10 @@ private DSSDocument signDocumentAsAsiCWithXAdeS(SigningKey key) {
         if (signatureParameters.getSignatureLevel().equals(SignatureLevel.XAdES_BASELINE_T))
             service.setTspSource(getParameters().getTspSource());
 
-        var dataToSign = service.getDataToSign(getDocument(), signatureParameters);
+        var dataToSign = service.getDataToSign(getDocument().getDSSDocument(), signatureParameters);
         var signatureValue = key.sign(dataToSign, getParameters().getDigestAlgorithm());
 
-        return service.signDocument(getDocument(), signatureParameters, signatureValue);
+        return service.signDocument(getDocument().getDSSDocument(), signatureParameters, signatureValue);
     }
 
     private DSSDocument signDocumentAsXAdeS(SigningKey key) {
@@ -107,10 +106,10 @@ private DSSDocument signDocumentAsXAdeS(SigningKey key) {
         signatureParameters.setCertificateChain(key.getCertificateChain());
         signatureParameters.setSignWithExpiredCertificate(true);
 
-        var dataToSign = service.getDataToSign(getDocument(), signatureParameters);
+        var dataToSign = service.getDataToSign(getDocument().getDSSDocument(), signatureParameters);
         var signatureValue = key.sign(dataToSign, jobParameters.getDigestAlgorithm());
 
-        return service.signDocument(getDocument(), signatureParameters, signatureValue);
+        return service.signDocument(getDocument().getDSSDocument(), signatureParameters, signatureValue);
     }
 
     private DSSDocument signDocumentAsASiCWithCAdeS(SigningKey key) {
@@ -126,10 +125,10 @@ private DSSDocument signDocumentAsASiCWithCAdeS(SigningKey key) {
         if (signatureParameters.getSignatureLevel().equals(SignatureLevel.CAdES_BASELINE_T))
             service.setTspSource(getParameters().getTspSource());
 
-        var dataToSign = service.getDataToSign(getDocument(), signatureParameters);
+        var dataToSign = service.getDataToSign(getDocument().getDSSDocument(), signatureParameters);
         var signatureValue = key.sign(dataToSign, jobParameters.getDigestAlgorithm());
 
-        return service.signDocument(getDocument(), signatureParameters, signatureValue);
+        return service.signDocument(getDocument().getDSSDocument(), signatureParameters, signatureValue);
     }
 
     private DSSDocument signDocumentAsPAdeS(SigningKey key) {
@@ -141,19 +140,20 @@ private DSSDocument signDocumentAsPAdeS(SigningKey key) {
         signatureParameters.setSigningCertificate(key.getCertificate());
         signatureParameters.setCertificateChain(key.getCertificateChain());
         signatureParameters.setSignWithExpiredCertificate(true);
+        signatureParameters.setPasswordProtection(document.getSigningPassword());
 
         if (signatureParameters.getSignatureLevel().equals(SignatureLevel.PAdES_BASELINE_T)) {
             service.setTspSource(getParameters().getTspSource());
             signatureParameters.setContentSize(9472*2);
         }
 
-        var dataToSign = service.getDataToSign(getDocument(), signatureParameters);
+        var dataToSign = service.getDataToSign(getDocument().getDSSDocument(), signatureParameters);
         var signatureValue = key.sign(dataToSign, jobParameters.getDigestAlgorithm());
 
-        return service.signDocument(getDocument(), signatureParameters, signatureValue);
+        return service.signDocument(getDocument().getDSSDocument(), signatureParameters, signatureValue);
     }
 
-    public static FileDocument createDSSFileDocumentFromFile(File file) {
+    public static AutogramDocument createDSSFileDocumentFromFile(File file) {
         var fileDocument = new FileDocument(file);
 
         if (fileDocument.getName().endsWith(".xdcf"))
@@ -165,12 +165,13 @@ else if (isXDC(fileDocument.getMimeType()) || isXML(fileDocument.getMimeType())
         else if (isTxt(fileDocument.getMimeType()))
             fileDocument.setMimeType(AutogramMimeType.TEXT_WITH_CHARSET);
 
-        return fileDocument;
+        return new AutogramDocument(fileDocument);
     }
 
-    private static SigningJob build(DSSDocument document, SigningParameters params, Responder responder) {
+    public static SigningJob build(AutogramDocument autogramDocument, SigningParameters params, Responder responder) {
+        DSSDocument document = autogramDocument.getDSSDocument();
         if (params.shouldCreateXdc() && !isXDC(document.getMimeType()) && !isAsice(document.getMimeType()))
-            document = XDCBuilder.transform(params, document.getName(), EFormUtils.getXmlFromDocument(document));
+            autogramDocument = new AutogramDocument(XDCBuilder.transform(params, document.getName(), EFormUtils.getXmlFromDocument(document)));
 
         if (isTxt(document.getMimeType()))
             document.setMimeType(AutogramMimeType.TEXT_WITH_CHARSET);
@@ -180,47 +181,37 @@ private static SigningJob build(DSSDocument document, SigningParameters params,
             document.setName(getXdcfFilename(document.getName()));
         }
 
-        return new SigningJob(document, params, responder);
-    }
-
-    public static SigningJob buildFromRequest(DSSDocument document, SigningParameters params, Responder responder) {
-        return build(document, params, responder);
-    }
-
-    public static SigningJob buildFromFile(File file, Responder responder, boolean checkPDFACompliance, SignatureLevel signatureType, boolean isEn319132, TSPSource tspSource, boolean plainXmlEnabled) {
-        var document = createDSSFileDocumentFromFile(file);
-        var parameters = getParametersForFile(document, checkPDFACompliance, signatureType, isEn319132, tspSource, plainXmlEnabled);
-        return build(document, parameters, responder);
+        return new SigningJob(autogramDocument, params, responder);
     }
 
-    private static SigningParameters getParametersForFile(FileDocument document, boolean checkPDFACompliance, SignatureLevel signatureType, boolean isEn319132, TSPSource tspSource, boolean plainXmlEnabled) {
+    public static SigningParameters getParametersForFile(AutogramDocument document, boolean checkPDFACompliance, SignatureLevel signatureType, boolean isEn319132, TSPSource tspSource, boolean plainXmlEnabled) {
         var level = SignatureValidator.getSignedDocumentSignatureLevel(SignatureValidator.getSignedDocumentSimpleReport(document));
         if (level != null) switch (level.getSignatureForm()) {
             case PAdES:
-                return SigningParameters.buildForPDF(document, checkPDFACompliance, isEn319132, tspSource);
+                return SigningParameters.buildForPDF(document.getDSSDocument(), checkPDFACompliance, isEn319132, tspSource);
             case XAdES:
-                return SigningParameters.buildForASiCWithXAdES(document, checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
+                return SigningParameters.buildForASiCWithXAdES(document.getDSSDocument(), checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
             case CAdES:
-                return SigningParameters.buildForASiCWithCAdES(document, checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
+                return SigningParameters.buildForASiCWithCAdES(document.getDSSDocument(), checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
             default:
                 ;
         }
 
-        if (isPDF(document.getMimeType())) switch (signatureType) {
+        if (isPDF(document.getDSSDocument().getMimeType())) switch (signatureType) {
             case PAdES_BASELINE_B:
-                return SigningParameters.buildForPDF(document, checkPDFACompliance, isEn319132, tspSource);
+                return SigningParameters.buildForPDF(document.getDSSDocument(), checkPDFACompliance, isEn319132, tspSource);
             case XAdES_BASELINE_B:
-                return SigningParameters.buildForASiCWithXAdES(document, checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
+                return SigningParameters.buildForASiCWithXAdES(document.getDSSDocument(), checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
             case CAdES_BASELINE_B:
-                return SigningParameters.buildForASiCWithCAdES(document, checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
+                return SigningParameters.buildForASiCWithCAdES(document.getDSSDocument(), checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
             default:
                 ;
         }
 
-        return SigningParameters.buildForASiCWithXAdES(document, checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
+        return SigningParameters.buildForASiCWithXAdES(document.getDSSDocument(), checkPDFACompliance, isEn319132, tspSource, plainXmlEnabled);
     }
 
     public boolean shouldCheckPDFCompliance() {
-        return parameters.getCheckPDFACompliance() && isPDF(document.getMimeType());
+        return parameters.getCheckPDFACompliance() && isPDF(document.getDSSDocument().getMimeType());
     }
 }

src/main/java/digital/slovensko/autogram/core/SigningParameters.java

@@ -6,6 +6,7 @@
 import digital.slovensko.autogram.core.errors.AutogramException;
 import digital.slovensko.autogram.core.errors.SigningParametersException;
 import digital.slovensko.autogram.core.errors.UnknownEformException;
+import digital.slovensko.autogram.model.AutogramDocument;
 import digital.slovensko.autogram.util.AsicContainerUtils;
 import digital.slovensko.autogram.core.eforms.EFormUtils;
 import digital.slovensko.autogram.core.eforms.xdc.XDCValidator;

src/main/java/digital/slovensko/autogram/core/eforms/xdc/XDCBuilder.java

@@ -11,9 +11,9 @@
 import static digital.slovensko.autogram.util.XMLUtils.getSecureDocumentBuilder;
 
 import eu.europa.esig.dss.enumerations.DigestAlgorithm;
+
 import eu.europa.esig.dss.model.DSSDocument;
 import eu.europa.esig.dss.model.InMemoryDocument;
-
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.xml.sax.InputSource;